wannacry | 9bcf631b31c8b3532b67a5541b103d4085f07f59fe00f125b909da725eb14843

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 15:08

Target

2024-07-02_5e4141fca37ba4bf2597da77151260fd_wannacry.exe
Size

5.0MB
MD5

5e4141fca37ba4bf2597da77151260fd
SHA1

8461490ea75a3c63b18d941108a8d882770e27fe
SHA256

9bcf631b31c8b3532b67a5541b103d4085f07f59fe00f125b909da725eb14843
SHA512

771681b123fe13538c03723bcc9afd4b184cd1902fcf3696a71b21c563cf4e5f5909dde09df124f5d846683c4ac6ac8df9d1ba86b4fad209bd61574c89149a46
SSDEEP

49152:2nAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaEa:yDqPoBhz1aRxcSUDk36SAEdhvxWa9P5

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3326) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

2696 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 1 IoCs

Processes:

2024-07-02_5e4141fca37ba4bf2597da77151260fd_wannacry.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 2024-07-02_5e4141fca37ba4bf2597da77151260fd_wannacry.exe

pid	process
2696	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	2024-07-02_5e4141fca37ba4bf2597da77151260fd_wannacry.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

2024-07-02_5e4141fca37ba4bf2597da77151260fd_wannacry.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2024-07-02_5e4141fca37ba4bf2597da77151260fd_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2024-07-02_5e4141fca37ba4bf2597da77151260fd_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2024-07-02_5e4141fca37ba4bf2597da77151260fd_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2024-07-02_5e4141fca37ba4bf2597da77151260fd_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2024-07-02_5e4141fca37ba4bf2597da77151260fd_wannacry.exe

C:\Users\Admin\AppData\Local\Temp\2024-07-02_5e4141fca37ba4bf2597da77151260fd_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-02_5e4141fca37ba4bf2597da77151260fd_wannacry.exe"
1⤵
- Drops file in Windows directory
PID:872

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:2696

C:\Users\Admin\AppData\Local\Temp\2024-07-02_5e4141fca37ba4bf2597da77151260fd_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-07-02_5e4141fca37ba4bf2597da77151260fd_wannacry.exe -m security
1⤵
- Modifies data under HKEY_USERS
PID:4644

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
b2b84e43744a61a66fce483b83620cd3

SHA1
71a2e4e78034003b397a1f4b5ffcc850c622ab5f

SHA256
14aa8cceab2da19684c23b2cc334ab4fbd04c5902b14b75cbdbda9366af88647

SHA512
a7afe34a4390b547d2a08634592d173970d7c01cc0f6cec50917f8e24b6d042b1a9e18bf8ecb7603426a44d0a45149b159301bc543a10f9fa1ca7509f5bbbd4b

Download Submit